Disclosed herein are methods, systems, and apparatus for securely executing smart contract operations in a trusted execution environment (TEE). One of the methods includes receiving, by a blockchain node participating in a blockchain network, a request to execute one or more software instructions in a service TEE hosted by the blockchain node, wherein the request is encrypted by a public key associated with the service TEE; decrypting the request with a first private key associated with the service TEE, wherein the first private key is paired with the public key; in response to decrypting the request, executing the one or more software instructions to produce an execution result; encrypting the execution result with a client encryption key associated with the service TEE to produce an encrypted result; and signing the encrypted result using a second private key associated with the TEE to produce a signed encrypted result.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method for securely executing smart contract operations in a trusted execution environment (TEE), the method comprising: receiving, by a blockchain node participating in a blockchain network, a request to execute one or more software instructions associated with a smart contract in a service TEE hosted by the blockchain node, wherein the request is encrypted by a first public key associated with the service TEE; decrypting, by the blockchain node in the service TEE, the request with a first private key associated with the service TEE, wherein the first private key is paired with the first public key; in response to decrypting the request, executing, by the blockchain node in the service TEE, the one or more software instructions to produce an execution result; encrypting, by the blockchain node in the service TEE, the execution result with a client encryption key associated with the service TEE to produce an encrypted result, wherein the client encryption key is one of a second public key or a symmetric key derived from a root key based on a key derivation function, and wherein the root key is selected from a plurality of root keys based on a state of the smart contract; and signing, by the blockchain node in the TEE, the encrypted result using a second private key associated with the TEE to produce a signed encrypted result.
2. The computer-implemented method of claim 1, wherein the blockchain node further hosts a key management TEE that stores one or more of the first private key, the second private key, and wherein the key management TEE provides the first private key, the second private key, and the root key to the service TEE after an identity of the service TEE is authenticated based on performing a local attestation initiated by the key management TEE.
3. The computer-implemented method of claim 2, wherein the first private key, the second private key, and the root key are generated by a key management center and are provided to the key management TEE after an identity of the key management TEE is authenticated based on performing a remote attestation initiated by the key management center.
4. The computer-implemented method of claim 2, wherein the first private key and the root key are provided by the key management TEE to the service TEE in response to a rebooting operation of the service TEE.
5. The computer-implemented method of claim 2, wherein the plurality of the root keys are stored in the key management TEE.
6. The computer-implemented method of claim 3, wherein the first public key is generated by the key management center and provided to a client for encrypting the request.
7. The computer-implemented method of claim 1, wherein the request received by the blockchain node further includes using the client encryption key to encrypt the one or more software instructions.
8. The computer-implemented method of claim 7, wherein decrypting the request with the first private key further comprises: decrypting the client encryption key with the first private key; and decrypting the one or more software instructions with the client encryption key.
9. The computer-implemented method of claim 3, wherein the key management center stores a verification public key that corresponds to the second private key and provides the verification public key to a client for verifying the signed encrypted result.
10. A non-transitory, computer-readable storage medium storing one or more instructions executable by a computer system to perform operations for securely executing smart contract operations in a trusted execution environment (TEE), the operations comprising: receiving, by a blockchain node participating in a blockchain network, a request to execute one or more software instructions associated with a smart contract in a service TEE hosted by the blockchain node, wherein the request is encrypted by a first public key associated with the service TEE; decrypting, by the blockchain node in the service TEE, the request with a first private key associated with the service TEE, wherein the first private key is paired with the first public key; in response to decrypting the request, executing, by the blockchain node in the service TEE, the one or more software instructions to produce an execution result; encrypting, by the blockchain node in the service TEE, the execution result with a client encryption key associated with the service TEE to produce an encrypted result, wherein the client encryption key is one of a second public key or a symmetric key derived from a root key based on a key derivation function, and wherein the root key is selected from a plurality of root keys based on a state of the smart contract; and signing, by the blockchain node in the TEE, the encrypted result using a second private key associated with the TEE to produce a signed encrypted result.
11. The non-transitory, computer-readable storage medium of claim 10, wherein the blockchain node further hosts a key management TEE that stores one or more of the first private key, the second private key, and wherein the key management TEE provides the first private key, the second private key, and the root key to the service TEE after an identity of the service TEE is authenticated based on performing a local attestation initiated by the key management TEE.
12. The non-transitory, computer-readable storage medium of claim 11, wherein the first private key, the second private key, and the root key are generated by a key management center and are provided to the key management TEE after an identity of the key management TEE is authenticated based on performing a remote attestation initiated by the key management center.
13. The non-transitory, computer-readable storage medium of claim 11, wherein the first private key and the root key are provided by the key management TEE to the service TEE in response to a rebooting operation of the service TEE.
14. The non-transitory, computer-readable storage medium of claim 11, wherein the plurality of the root keys are stored in the key management TEE.
15. The non-transitory, computer-readable storage medium of claim 12, wherein the first public key is generated by the key management center and provided to a client for encrypting the request.
16. The non-transitory, computer-readable storage medium of claim 10, wherein the request received by the blockchain node further includes using the client encryption key to encrypt the one or more software instructions.
17. The non-transitory, computer-readable storage medium of claim 16, wherein decrypting the request with the first private key further comprises: decrypting the client encryption key with the first private key; and decrypting the one or more software instructions with the client encryption key.
18. The non-transitory, computer-readable storage medium of claim 12, wherein the key management center stores a verification public key that corresponds to the second private key and provides the verification public key to a client for verifying the signed encrypted result.
19. A computer-implemented system, comprising: one or more computers; and one or more computer memory devices interoperably coupled with the one or more computers and having tangible, non-transitory, machine-readable media storing one or more instructions that, when executed by the one or more computers, perform one or more operations for securely executing smart contract operations in a trusted execution environment (TEE), the operations comprising: receiving, by a blockchain node participating in a blockchain network, a request to execute one or more software instructions associated with a smart contract in a service TEE hosted by the blockchain node, wherein the request is encrypted by a first public key associated with the service TEE; decrypting, by the blockchain node in the service TEE, the request with a first private key associated with the service TEE, wherein the first private key is paired with the first public key; in response to decrypting the request, executing, by the blockchain node in the service TEE, the one or more software instructions to produce an execution result; encrypting, by the blockchain node in the service TEE, the execution result with a client encryption key associated with the service TEE to produce an encrypted result, wherein the client encryption key is one of a second public key or a symmetric key derived from a root key based on a key derivation function, and wherein the root key is selected from a plurality of root keys based on a state of the smart contract; and signing, by the blockchain node in the TEE, the encrypted result using a second private key associated with the TEE to produce a signed encrypted result.
20. The computer-implemented system of claim 19, wherein the blockchain node further hosts a key management TEE that stores one or more of the first private key, the second private key, and wherein the key management TEE provides the first private key, the second private key, and the root key to the service TEE after an identity of the service TEE is authenticated based on performing a local attestation initiated by the key management TEE.
21. The computer-implemented system of claim 20, wherein the first private key, the second private key, and the root key are generated by a key management center and are provided to the key management TEE after an identity of the key management TEE is authenticated based on performing a remote attestation initiated by the key management center.
22. The computer-implemented system of claim 20, wherein the first private key and the root key are provided by the key management TEE to the service TEE in response to a rebooting operation of the service TEE.
23. The computer-implemented system of claim 20, wherein the plurality of the root keys are stored in the key management TEE.
24. The computer-implemented system of claim 21, wherein the first public key is generated by the key management center and provided to a client for encrypting the request.
25. The computer-implemented system of claim 19, wherein the request received by the blockchain node further includes using the client encryption key to encrypt the one or more software instructions.
26. The computer-implemented system of claim 25, wherein decrypting the request with the first private key further comprises: decrypting the client encryption key with the first private key; and decrypting the one or more software instructions with the client encryption key.
27. The computer-implemented system of claim 21, wherein the key management center stores a verification public key that corresponds to the second private key and provides the verification public key to a client for verifying the signed encrypted result.
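The request/decrypt/execute/encrypt/sign sequence of claims 1, 7, 8 and 9, as an added worked example; this is not part of the patent and not the applicant's code. The claims leave the primitives open, so the example assumes RSA-OAEP for the first key pair (request decryption), AES-256-GCM for the client encryption key, and Ed25519 for the second key pair (result signing). The `ServiceTEE`, `Request` and `SignedResult` types, the toy `execute` VM that only understands "add A B", and every key and input are constructed for the demo. It shows the wrapped-key form of the client encryption key (claims 7 and 8), not the root-key-derived form, and the attestation-based key provisioning of claims 2 to 4 is outside its scope: the keys are simply generated in the constructor.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
)

// ServiceTEE models the two keys the key management TEE provisions to the service
// TEE: the first private key (request decryption) and the second (result signing).
type ServiceTEE struct {
	DecKey    *rsa.PrivateKey    // first private key; its public half goes to clients
	SignKey   ed25519.PrivateKey // second private key
	VerifyPub ed25519.PublicKey  // verification public key handed to clients (claim 9)
}

type Request struct{ WrappedKey, Nonce, Instructions []byte } // form of claims 7 and 8
type SignedResult struct{ Nonce, Ciphertext, Signature []byte }

func NewServiceTEE() (*ServiceTEE, error) {
	dec, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	pub, sign, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &ServiceTEE{DecKey: dec, SignKey: sign, VerifyPub: pub}, nil
}

// seal/open: AES-256-GCM with a fresh random nonce; open fails on any tampering.
func seal(key, pt []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, nil, err }
	a, err := cipher.NewGCM(block)
	if err != nil { return nil, nil, err }
	nonce = make([]byte, a.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, nil, err }
	return nonce, a.Seal(nil, nonce, pt, nil), nil
}
func open(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	a, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return a.Open(nil, nonce, ct, nil)
}

// BuildRequest (client side): RSA-OAEP-wrap the client key under the TEE's first public key, then encrypt the instructions under it.
func BuildRequest(teePub *rsa.PublicKey, clientKey, instructions []byte) (*Request, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, teePub, clientKey, nil)
	if err != nil { return nil, err }
	nonce, ct, err := seal(clientKey, instructions)
	if err != nil { return nil, err }
	return &Request{wrapped, nonce, ct}, nil
}

// execute stands in for the contract VM; the only instruction it knows is "add A B".
func execute(instr []byte) ([]byte, error) {
	var a, b int
	if _, err := fmt.Sscanf(string(instr), "add %d %d", &a, &b); err != nil { return nil, err }
	return []byte(strconv.Itoa(a + b)), nil
}

// Handle runs the claimed sequence inside the TEE: decrypt, execute, encrypt the result under the client key, sign nonce||ciphertext.
func (t *ServiceTEE) Handle(req *Request) (*SignedResult, error) {
	clientKey, err := rsa.DecryptOAEP(sha256.New(), nil, t.DecKey, req.WrappedKey, nil)
	if err != nil { return nil, err }
	if len(clientKey) != 32 { return nil, errors.New("client key must be 32 bytes") } // untrusted input
	instr, err := open(clientKey, req.Nonce, req.Instructions)
	if err != nil { return nil, err }
	result, err := execute(instr)
	if err != nil { return nil, err }
	nonce, ct, err := seal(clientKey, result)
	if err != nil { return nil, err }
	sig := ed25519.Sign(t.SignKey, append(append([]byte{}, nonce...), ct...))
	return &SignedResult{nonce, ct, sig}, nil
}

// VerifyAndOpen (client side): check the signature with the verification public key
// first, so an altered or unsigned result is rejected before any decryption.
func VerifyAndOpen(pub ed25519.PublicKey, clientKey []byte, r *SignedResult) ([]byte, error) {
	msg := append(append([]byte{}, r.Nonce...), r.Ciphertext...)
	if !ed25519.Verify(pub, msg, r.Signature) { return nil, errors.New("signature check failed") }
	return open(clientKey, r.Nonce, r.Ciphertext)
}

func main() {
	tee, err := NewServiceTEE()
	if err != nil { panic(err) }
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte client key
	req, _ := BuildRequest(&tee.DecKey.PublicKey, key, []byte("add 2 3"))
	res, _ := tee.Handle(req)
	out, err := VerifyAndOpen(tee.VerifyPub, key, res)
	fmt.Println(string(out), err)
}
```

Two details matter for a verifier of such a scheme: the client checks the signature over nonce and ciphertext together before decrypting anything, and the TEE treats the unwrapped client key as untrusted input and rejects a wrong-length key instead of letting the cipher constructor fail later. A request wrapped for a different TEE's first public key fails at `DecryptOAEP`, and a result whose ciphertext was altered in transit fails at `Verify`.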
October 31, 2019
November 17, 2020